1) The deprecated --*_pkcs12 and --*_pin aliases should not be supported
in ipa-replica-install.

In ServerCA, inherit the knobs from BaseServerCA rather than
BaseServer.ca. The "#pylint: disable=no-member" will no longer be necessary.

In ipa-server-install help, there are 2 "certificate system" option
groups. This is a shortcoming in the installer framework, which will be
addressed in the future. For now, please inherit *all* knobs of
BaseServerCA in ServerCA as a workaround.

2) This check from ipa-replica-prepare should be added to
Replica.__init__() as well:
# If any of the PKCS#12 options are selected, all are required.
cert_file_req = (options.dirsrv_cert_files,
options.http_cert_files)
cert_file_opt = (options.pkinit_cert_files,)
if any(cert_file_req + cert_file_opt) and not
all(cert_file_req):
self.option_parser.error(
"--dirsrv-cert-file and --http-cert-file are required
if any "
"PKCS#12 options are used.")

The check is done when replica file is specified in the patch, but it
should be done only when replica file is *not* specified.

6) Please make the ca_is_enabled argument of install_replica_ds() and
install_http() mandatory and fill as appropriate when called, it will
make the code more readable.